[keycloak-dev] oauth vulnerabilities

http://intothesymmetry.blogspot.ch/2015/01/top-5-oauth-2-implementation.html I think we're pretty good, the ones I worry about is relative urls in redirect URI checks i.e. "http://cloud.com/provisioned/good-site/../hacker-site" I'll log a bug for this if you agree that relative redirect URLs shouldn't be allowed. (Those containing "." and "..") Another really dangerous thing that we do is have full-scope-allowed set to true by default. If a rogue client gets registered, they pretty much have access to every single application the user can access with all of their privileges. -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com